-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2010-009
=================================
Topic:          Privilege Handling Errors In larn

Version:        NetBSD-current:    source prior to February 3, 2008
                NetBSD 5.0.2:      not affected
                NetBSD 5.0:        not affected
                NetBSD 4.0.1:      not affected
                NetBSD 4.0:        affected

Severity:       Unprivileged Local Users Can Gain Access To "games" Group

Fixed:          NetBSD-current:    Feb 3, 2008
                NetBSD-4 branch:   Feb 3, 2008 (4.1 would include the fix)
                NetBSD-4-0 branch: Feb 3, 2008 (4.0.1 includes the fix)
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
Larn, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores. Properly, only
accesses to these objects should be made using the privileges of the
"games" group. However, due to improper privilege handling, the game
always runs with the privileges of the "games" group, opening up a
number of possible ways to allow an unprivileged user to gain improper
access to that group.
There is also an additional problem fixed by the same patch set: when
one wins larn, it sends the user junk mail. This junk mail is prepared
in insecure temporary files. It is likely impractical to use this to
attack another user who is playing larn; however, it might be possible
upon winning larn oneself to exploit it to gain access to the "games"
group.
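The temporary-file weakness mentioned above, illustrated with an added example that is not larn's code: a predictable path opened without O_EXCL beside the mkstemp(3) pattern, plus the fstat(2) check a program should run on a descriptor before writing through it. The directory, file-name template and message are constructed for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not larn's code. Contrasts a predictable temporary
 * file opened without O_EXCL with mkstemp(3), and shows the fstat(2)
 * check to make before trusting an open descriptor. */

/* Insecure pattern: the name is fixed and guessable, and O_CREAT
 * without O_EXCL means an already-existing path (file or symlink) is
 * followed and truncated rather than refused. In a setgid program the
 * write then happens with the group's privileges. */
int open_mail_insecure(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: mkstemp() picks an unpredictable name and opens it
 * with O_CREAT|O_EXCL and mode 0600 in one step, so it cannot be
 * redirected through a pre-existing path. name_buf receives the name. */
int open_mail_secure(char *name_buf, size_t len, const char *dir)
{
    int n = snprintf(name_buf, len, "%s/larnmail.XXXXXX", dir); /* constructed template */
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkstemp(name_buf);
}

/* Defensive check on an open descriptor: a regular file with exactly one
 * link, owned by the caller, and not writable by group or others. */
int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_nlink == 1
        && st.st_uid == getuid()
        && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Walk the secure path end to end: create, verify, write, remove.
 * Returns 1 when every step succeeded, 0 otherwise. */
int demo_secure_mail(const char *dir)
{
    char name[512];
    static const char msg[] = "You have won larn.\n";   /* constructed text */
    int fd = open_mail_secure(name, sizeof name, dir);
    if (fd < 0)
        return 0;
    int ok = fd_is_private_regular_file(fd);
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        ok = 0;
    close(fd);
    unlink(name);   /* a real program would hand the file to the mailer here */
    return ok;
}

int main(void)
{
    printf("secure temp-file path: %s\n",
           demo_secure_mail("/tmp") ? "ok" : "failed");
    return 0;
}
```

The fstat() check is what makes the difference observable: a descriptor obtained through open_mail_insecure() on a planted path can refer to something other than a fresh private file, while one returned by mkstemp() always passes it.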
Technical Details
=================
When games were changed from setuid to setgid (circa 1997) larn was
never updated to switch group IDs instead of user IDs. This meant that
when it tried to drop to a lower privilege level, nothing happened.
Thus the game always runs with access to the games group, and a number
of possible actions (most notably, writing out save files) are done
with access to the games group.
Save files can thus be written into /var/games, possibly overwriting
or damaging files belonging to other games. This creates the
possibility that ordinarily-harmless weaknesses in other games might
be exploited to gain a shell with access to group games. It also
allows denial of service against other games.
Larn also has the ability to start a sub-shell, but it always runs
/bin/csh, which under NetBSD refuses to start when setgid. It is
believed that this path is not exploitable.
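To make the privilege-handling bug concrete, here is an added example (not NetBSD's larn source) that models the credential rules an unprivileged process sees under NetBSD's setuid(2), setgid(2) and setegid(2), then runs the setuid-era drop larn used beside a group-based drop. The sample IDs are constructed: uid 1000 in group 100, binary setgid to a "games" group assumed to have gid 13.

```c
#include <stdio.h>
#include <sys/types.h>

/* Added example, not larn's code. Models NetBSD's credential rules for
 * an unprivileged caller to show why a uid-based drop is a no-op in a
 * setgid binary. Assumed gid of group "games": 13. */
#define GAMES_GID ((gid_t)13)

struct cred {
    uid_t ruid, euid, suid;   /* real, effective, saved uid */
    gid_t rgid, egid, sgid;   /* real, effective, saved gid */
};

/* setuid(2) without superuser privilege: permitted only for the real or
 * saved uid, and then all three uids become that value. */
static int model_setuid(struct cred *c, uid_t uid)
{
    if (uid != c->ruid && uid != c->suid)
        return -1;            /* EPERM */
    c->ruid = c->euid = c->suid = uid;
    return 0;
}

/* setgid(2): the same rule on the group side. */
static int model_setgid(struct cred *c, gid_t gid)
{
    if (gid != c->rgid && gid != c->sgid)
        return -1;
    c->rgid = c->egid = c->sgid = gid;
    return 0;
}

/* setegid(2): changes only the effective gid, so the saved gid keeps
 * "games" available for a later regain. */
static int model_setegid(struct cred *c, gid_t gid)
{
    if (gid != c->rgid && gid != c->sgid)
        return -1;
    c->egid = gid;
    return 0;
}

/* Credentials at exec of a setgid-games binary: only the effective and
 * saved gids differ from the invoking user's own IDs. */
struct cred larn_at_start(void)
{
    struct cred c = { 1000, 1000, 1000, 100, GAMES_GID, GAMES_GID };
    return c;
}

/* Pre-fix behaviour: a setuid-era drop. The effective uid already equals
 * the real uid, so the call succeeds and changes nothing; the process
 * keeps the games group for the whole session. */
int buggy_drop(struct cred *c) { return model_setuid(c, c->ruid); }

/* Group-aware handling: drop to the player's group for ordinary work
 * (save files), regain "games" only around score-file access, and give
 * it up permanently before anything like a sub-shell. */
int drop_games(struct cred *c)         { return model_setegid(c, c->rgid); }
int regain_games(struct cred *c)       { return model_setegid(c, GAMES_GID); }
int drop_games_forever(struct cred *c) { return model_setgid(c, c->rgid); }

/* The check that matters after any drop: is the process still "games"? */
int has_games_priv(const struct cred *c) { return c->egid == GAMES_GID; }

int main(void)
{
    struct cred c = larn_at_start();
    buggy_drop(&c);
    printf("after setuid-style drop: egid=%u games=%s\n",
           (unsigned)c.egid, has_games_priv(&c) ? "yes" : "no");
    drop_games(&c);
    printf("after setegid(rgid):     egid=%u games=%s\n",
           (unsigned)c.egid, has_games_priv(&c) ? "yes" : "no");
    regain_games(&c);
    printf("around score update:     egid=%u games=%s\n",
           (unsigned)c.egid, has_games_priv(&c) ? "yes" : "no");
    drop_games_forever(&c);
    printf("before sub-shell:        egid=%u, regain returns %d\n",
           (unsigned)c.egid, regain_games(&c));
    return 0;
}
```

The model follows NetBSD, where an unprivileged setgid() that is permitted sets all three group IDs; on Linux an unprivileged setgid() changes only the effective gid, so setresgid(2) with all three arguments set to the real gid is the equivalent of the permanent drop shown here. Replacing the model calls with the real system calls gives the pattern a setgid game should use.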
Solutions and Workarounds
=========================
Removing the setgid bit from /usr/games/larn is a simple and effective
workaround, although larn will not work properly without it.
For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing larn.
The fixed sources may be obtained from the NetBSD CVS repository.
The fixes for this vulnerability are contained in the following file
revisions for each CVS branch:
CVS branch     file                          revision
-------------  ----------------------------  -----------
HEAD           src/games/larn/bill.c         1.9
HEAD           src/games/larn/header.h       1.18
HEAD           src/games/larn/main.c         1.21
HEAD           src/games/larn/scores.c       1.16
netbsd-4       src/games/larn/bill.c         1.7.16.1
netbsd-4       src/games/larn/header.h       1.16.2.1
netbsd-4       src/games/larn/main.c         1.17.4.1
netbsd-4       src/games/larn/scores.c       1.12.16.1
netbsd-4-0     src/games/larn/bill.c         1.7.26.1
netbsd-4-0     src/games/larn/header.h       1.16.12.1
netbsd-4-0     src/games/larn/main.c         1.17.8.1
netbsd-4-0     src/games/larn/scores.c       1.12.20.1
The following instructions briefly summarize how to update and
recompile larn. In these instructions, replace:
    BRANCH  with the appropriate CVS branch (from the above table)
    FILES   with the file names for that branch (from the above table)
To update from CVS, re-build, and re-install larn:
    # cd src
    # cvs update -d -P -r BRANCH FILES
    # cd games/larn
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
For more information on building (oriented towards rebuilding the
entire system, however) see:
http://www.netbsd.org/guide/en/chap-build.html
Thanks To
=========
David A. Holland, who found and fixed the problem.
Revision History
================
2010-10-21 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-009.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-009.txt,v 1.1 2010/10/21 09:02:57 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
-----END PGP SIGNATURE-----